-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MIT krb5 Security Advisory 2007-005 Original release: 2007-06-26 Last update: 2007-06-26 Topic: kadmind vulnerable to buffer overflow Severity: CRITICAL CVE: CVE-2007-2798 CERT: VU#554257 SUMMARY ======= The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to a stack buffer overflow. Exploitation of overflows of stack buffers is known to be simple. We have received a proof-of-concept exploit which may invoke a shell, but we believe that this exploit is not publicly circulated. This is a bug in kadmind in MIT krb5. It is not a bug in the Kerberos protocol. IMPACT ====== An authenticated remote user may be able to cause a host running kadmind to execute arbitrary code. Successful exploitation can compromise the Kerberos key database and host security on the KDC host. (kadmind typically runs as root.) Unsuccessful exploitation attempts will likely result in kadmind crashing. AFFECTED SOFTWARE ================= * kadmind from MIT releases up to and including krb5-1.6.1 FIXES ===== * The upcoming krb5-1.6.2 release, as well as the upcoming krb5-1.5.4 maintenance release, will contain fixes for this vulnerability. Prior to that release you may: * apply the patch This patch has the patch in MITKRB5-SA-2007-002 as a prerequisite. The krb5-1.6.1 and krb5-1.5.3 releases already contains the prerequisite patch. This patch is also available at http://web.mit.edu/kerberos/advisories/2007-005-patch.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2007-005-patch.txt.asc *** src/kadmin/server/server_stubs.c (revision 20024) - --- src/kadmin/server/server_stubs.c (local) *************** *** 545,557 **** static generic_ret ret; char *prime_arg1, *prime_arg2; - - char prime_arg[BUFSIZ]; gss_buffer_desc client_name, service_name; OM_uint32 minor_stat; kadm5_server_handle_t handle; restriction_t *rp; char *errmsg; xdr_free(xdr_generic_ret, &ret); - --- 545,558 ---- static generic_ret ret; char *prime_arg1, *prime_arg2; gss_buffer_desc client_name, service_name; OM_uint32 minor_stat; kadm5_server_handle_t handle; restriction_t *rp; char *errmsg; + size_t tlen1, tlen2, clen, slen; + char *tdots1, *tdots2, *cdots, *sdots; xdr_free(xdr_generic_ret, &ret); *************** *** 572,578 **** ret.code = KADM5_BAD_PRINCIPAL; goto exit_func; } ! sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2); ret.code = KADM5_OK; if (! CHANGEPW_SERVICE(rqstp)) { - --- 573,586 ---- ret.code = KADM5_BAD_PRINCIPAL; goto exit_func; } ! tlen1 = strlen(prime_arg1); ! trunc_name(&tlen1, &tdots1); ! tlen2 = strlen(prime_arg2); ! trunc_name(&tlen2, &tdots2); ! clen = client_name.length; ! trunc_name(&clen, &cdots); ! slen = service_name.length; ! trunc_name(&slen, &sdots); ret.code = KADM5_OK; if (! CHANGEPW_SERVICE(rqstp)) { *************** *** 590,597 **** } else ret.code = KADM5_AUTH_INSUFFICIENT; if (ret.code != KADM5_OK) { ! log_unauth("kadm5_rename_principal", prime_arg, ! &client_name, &service_name, rqstp); } else { ret.code = kadm5_rename_principal((void *)handle, arg->src, arg->dest); - --- 598,612 ---- } else ret.code = KADM5_AUTH_INSUFFICIENT; if (ret.code != KADM5_OK) { ! krb5_klog_syslog(LOG_NOTICE, ! "Unauthorized request: kadm5_rename_principal, " ! "%.*s%s to %.*s%s, " ! "client=%.*s%s, service=%.*s%s, addr=%s", ! tlen1, prime_arg1, tdots1, ! tlen2, prime_arg2, tdots2, ! clen, client_name.value, cdots, ! slen, service_name.value, sdots, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } else { ret.code = kadm5_rename_principal((void *)handle, arg->src, arg->dest); *************** *** 600,607 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done("kadm5_rename_principal", prime_arg, errmsg, ! &client_name, &service_name, rqstp); } free_server_handle(handle); free(prime_arg1); - --- 615,629 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, ! "Request: kadm5_rename_principal, " ! "%.*s%s to %.*s%s, %s, " ! "client=%.*s%s, service=%.*s%s, addr=%s", ! tlen1, prime_arg1, tdots1, ! tlen2, prime_arg2, tdots2, errmsg, ! clen, client_name.value, cdots, ! slen, service_name.value, sdots, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } free_server_handle(handle); free(prime_arg1); REFERENCES ========== This announcement is posted at: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html CVE: CVE-2007-2798 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2798 CERT: VU#554257 http://www.kb.cert.org/vuls/id/554257 ACKNOWLEDGMENTS =============== We thank iDefense for the initial notification. iDefense credits an anonymous discoverer. DETAILS ======= The kadmind code which performs the principal renaming operation passes unchecked string arguments to a sprintf() call which has a fixed-size stack buffer as its destination. These strings are the old and new principal names passed to the rename operation. The attacker needs to authenticate to kadmind to perform this attack, but no administrative privileges are required because the vulnerable code executes prior to privilege verification. REVISION HISTORY ================ 2007-06-26 original release Copyright (C) 2007 Massachusetts Institute of Technology -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (SunOS) iQCVAwUBRoFJ16bDgE/zdoE9AQJKkQP/V95mZTlvUeuc1+Pw6m3vx+0jd2yGdR9Y NiM1Kfe80u4TjvXIkCLLrIwE2E8+xSjEpGsG0EBqlRpAKOMtXyfzySYF4RdQl8QI 42joEAhYO4sk4xueb9ZC/GW1BCOobkvH+Apq1mXEndfeM/7QHRo/MJRZry8aek8r Xfd3cRNQogQ= =JE8k -----END PGP SIGNATURE-----